FTC sues data broker for selling sensitive location info
The Federal Trade Commission (FTC) filed a lawsuit Monday against the major data broker Kochava, alleging the company offered for sale the precise geolocation data of hundreds of millions of mobile devices — revealing potentially sensitive information in what the agency says amounted to an unfair or deceptive consumer practice.
As part of its operations, Idaho-based Kochava “collects a wealth of information” about people and their mobile devices, including by purchasing it from other data brokers, and sells customized feeds, according to the FTC complaint.
Among the information it sells is precise geolocation information associated with a unique marketing ID that can be used to reveal visits to sensitive locations, such as places of worship and healthcare providers, according to the FTC. Such data can also be relatively easily tied back to an individual by observing patterns, such as regular sleep and work locations.
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection said in a press release announcing the suit, which was filed in the United States District Court for the District of Idaho. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
1. Today @FTC sued data broker Kochava for selling geolocation data that can be used to track people at addiction recovery facilities, reproductive health clinics, places of worship, shelters, and other sensitive locations.https://t.co/um54nTOHCQ— Lina Khan (@linakhanFTC) August 29, 2022
Kochava’s legal representation did not immediately respond to a request for comment about the suit. The company charges clients $25,000 for access to its location feed, and until recent months offered free samples, per the complaint.
Kochava attempted to preempt the action by suing the FTC earlier this month, alleging overreach in proposed complaints the agency shared in July and August. Shortly before suing the FTC, the company also announced a new capability called “privacy block” which it said should assuage the agency’s concerns by removing “health services location data from the Kochava Collective marketplace.”
Federal regulators have shown increased concern about the privacy of health related information in the wake of states laws criminalizing abortions after the Supreme Court overturned Roe v. Wade this summer.
That included the FTC, which warned companies in July that the agency was “committed to using the full scope of its legal authorities to protect consumers’ privacy” as it relates to sensitive location information. Earlier this month, the agency also kicked off a process that could result in it issuing consumer data and privacy security rules.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.